Simulation on TZ-400
DisaRicks
Newbie ✭
Hi everybody,
I use several TZ-400s on a big infrastructure in a very secure environment.
I have to make some changes on the firewalls, but I can't have a test environment.
My question is: is it possible to have a flow simulation in a TZ-400?
For example: is it possible to simulate a flow entering by X2 to a specific IP with a specific port?
Like this I can try this flow without waiting.
Thank you
Eric
Category: Mid Range Firewalls
Best Answer
DisaRicks Newbie ✭
I solved part of my problem.....
So many hours of searching, finally:
Thanks a lot for your help...
Without you, I'd be searching again and again....
Thanks!
Answers
Hi @DisaRicks
SonicWall is supposed to provide an E-NG/GNS3 image for education/training purposes.
@Saravanan @shiprasahu93
It would be appreciated if you could provide an E-NG or GNS3 image of the firewall for testing/development environment purposes.
Hi @DisaRicks, do you mean something like Investigate -> Tools -> Packet Replay?
https://www.sonicwall.com/support/knowledge-base/how-to-use-packet-replay/170915122451889/
--Michael@BWC
Hi @DisaRicks,
What @BWC suggested would be the best way to replay the kind of flow that you are trying to replay.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi, thank you very much for your answers.
I tried to use Packet Replay, but I'm not sure about the result.
When a real test is made, I received this in the packet monitor:
As you can see, the packet is dropped from 159.50.228.23 to 172.20.85.31 on port 443.
I created a PCAP file from this packet monitor.
Now I use Packet Replay with the PCAP file I just created.
I put in IP1: 159.50.228.23 on interface X2
I put in IP2: 172.20.85.31 on interface X2 (that's my problem, I think. Normally the flow must go through the VPN on the X1 interface, but X1 is not in the drop-down box)
and I receive:
Here the packet is received....
I'm lost
My real problem is the following:
I must receive a packet from an IP in the range 159.50.228.0-255.255.255.192 on the X2 interface.
This packet must go to the 172.20.85.31 IP on another network across the VPN on the X1 interface, with port 443.
It doesn't work.
I do exactly the same for another flow from the same interface with an IP in 10.22.0.0/24 to 172.20.85.32 on port 10611, for example, and this one is fully functional.
Same route, same rules.... I don't find the reason.... I suspect port 443. Is this port special?
Thank you very much for your help
Eric
@DisaRicks,
The packet replay feature only shows how the firewall will process and will not send the packet outside of the firewall. Could you please share how the interface X2 is configured, the routes you have in place, and the networks included in VPN? That should help us troubleshoot this issue.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93
Here is the configuration of the X2 interface
Here are the rules
The red arrow shows the concerned route for my case
Where Serveurs_Marne is 159.50.0.0/255.255.0.0
and PASTEUR_NETWORK includes the network 172.20.85.0/255.255.255.0
Any Port
For information, the route in the blue arrow works perfectly
Where CE_BNPPFR includes, for example, the network 10.22.0.0/255.255.0.0
Everything goes across a VPN that includes the following networks
on my side:
On the other side of the VPN, I see:
I created a rule to the VPN zone allowing this packet: Error 726 packet Dropped - Policy Route
I removed this rule because I think I don't need it across the VPN: same error code 726
I'm completely lost.
Thank you.
@DisaRicks,
So, is it like you have both VPN as well as routing to PASTEUR_NETWORK, which includes the network 172.20.85.0/255.255.255.0?
The only difference that I can see is that the non-working route has a metric of 5, while the other one has 1.
What happens when you do a packet capture with the source as 159.50.228.23? Is that traffic getting dropped on the firewall?
I would suggest generating some real-time traffic and performing a packet capture with that source IP. It should not matter that the port is 443.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93
Here is a real-time packet capture made a few minutes ago with the 159.50.228.33 IP as source
As you can see, error 726
I tried to change the route metric to 1: same error code
I send you the PCAP file (I changed the extension to TXT, you must change it back to PCAP) if you want to see it.
Thank you
@DisaRicks,
Based on the drop code, it looks like there is a missing access rule. What zone is Serveurs_Marne in?
Could you please check the access rule from that zone to VPN or whatever zone you have placed PASTEUR_NETWORK in?
Even if it is present, make sure that the priority of that rule is set correctly and check whether there is any traffic on that rule.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
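As an added example (not from the thread, and not SonicWall's own logic), a small Python model of the lookup order Shipra describes: find the route for the destination, take the destination zone from that route, then walk the access rules in priority order checking zone pair, address objects and port. The zone names, the default route and the rule bound to the wrong source zone are constructed assumptions; the point it shows is that a rule whose address objects match can still leave a flow unmatched when it sits in a different zone pair, which is why the rule's zones and its hit counter are worth checking.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    dest: ipaddress.IPv4Network
    metric: int
    zone: str  # zone reached through the route's egress (interface or VPN)

@dataclass
class Rule:
    priority: int
    src_zone: str
    dst_zone: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]  # None = any port
    action: str

# Constructed approximation of the thread's setup; zone names are assumptions.
IF_ZONE = {"X0": "LAN", "X1": "WAN", "X2": "DMZ"}
ROUTES = [
    Route(ipaddress.ip_network("172.20.85.0/24"), 5, "VPN"),  # PASTEUR_NETWORK via the VPN
    Route(ipaddress.ip_network("0.0.0.0/0"), 20, "WAN"),      # default route out of X1
]
RULES = sorted([
    # CE_BNPPFR -> PASTEUR_NETWORK, any port: this is the flow that works
    Rule(1, "DMZ", "VPN", ipaddress.ip_network("10.22.0.0/16"),
         ipaddress.ip_network("172.20.85.0/24"), None, "allow"),
    # Serveurs_Marne -> PASTEUR_NETWORK, any port, but bound to the wrong source zone
    Rule(2, "LAN", "VPN", ipaddress.ip_network("159.50.0.0/16"),
         ipaddress.ip_network("172.20.85.0/24"), None, "allow"),
], key=lambda r: r.priority)

def lookup_route(dst, routes):
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    candidates = [r for r in routes if dst in r.dest]
    return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric), default=None)

def simulate(src_ip, dst_ip, dst_port, ingress_if, routes=ROUTES, rules=RULES):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone = IF_ZONE[ingress_if]
    route = lookup_route(dst, routes)
    if route is None:
        return "drop", "no route"
    for rule in rules:  # rules are already in priority order
        if ((rule.src_zone, rule.dst_zone) == (src_zone, route.zone)
                and src in rule.src_net and dst in rule.dst_net
                and rule.dst_port in (None, dst_port)):
            return rule.action, f"rule {rule.priority} ({src_zone} -> {route.zone})"
    return "drop", f"no access rule for {src_zone} -> {route.zone}"
```

Adding a rule with the same address objects but the DMZ -> VPN zone pair makes the 159.50.228.23 flow match, while the port (443 or 10611) plays no part in the decision.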
@shiprasahu93
I re-created the rule.
I verified that all my objects are in the right zones
I put the priority at 2 for this rule
but always the same error code
No traffic on that rule!
Thanks!!
@DisaRicks,
In that case, I would suggest reaching out to SonicWall support for further assistance. We probably need to dig deeper and find out the root cause of this issue.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services